
Encryption debate needs to be nuanced, FBI's Comey says

FBI Director James Comey brought the encryption debate back to the forefront by asking for a 'nuanced and thoughtful' conversation on the topic before there is a serious attack.

With the fire around the backdoor encryption debate dying down, FBI Director James Comey doesn't want the conversation to flame out before the American people can decide on a path forward.

Speaking at a symposium at the University of Texas at Austin, Comey spoke about national security, counterterrorism and how the FBI is dealing with cyberthreats, while also focusing on the issue of "going dark" by continuing his call for an "adult conversation" in the encryption debate.

Comey insisted he loves encryption, but his job creates conflicting issues with the technology:

"I love encryption. I'm just [going to] keep saying that. I love encryption. I love privacy on the internet. I have an Instagram account. I have nine followers. They are all related to me ... and one daughter's serious boyfriend, because it's serious enough now and I finally accepted his request. And I post pictures. I don't want anybody else looking at that," Comey said. "I treasure my privacy. But I also have another obligation, given my job: It's to protect innocent people from bad things. Those two things that we all love -- privacy and public safety -- are crashing into each other. They're crashing into each other."

Comey said between October and December of 2016, the FBI was presented with 2,800 devices with court orders to open them. But "43% of them, we could not open with any technique, including classified techniques. That is a shadow falling across our work. Default, ubiquitous strong encryption has a significant impact on our world."

"As those devices become off-limits to judicial authority, that's a change in the way we live. And the fundamental compact should not be changed by the FBI -- no way. We investigate. Our job is to tell you how it's affecting our work; we should not decide what to do about it," Comey said. "But it should not be done by companies whose job it is to sell me an awesome, awesome mobile device. Their job is not to decide how the American people should live. The American people should decide how they live."

Rebecca Herold, CEO of Privacy Professor, said, "Comey is just blaming his problems with figuring out how to infiltrate terrorist and nation-state groups that share data for investigations on encryption instead of his lack of innovative ideas for other ways to get the data. Encryption should never be a scapegoat for the shortcomings of federal agency investigations."

Comey did his best to present the encryption debate as he saw it from a law enforcement perspective and told the crowd that there needed to be a "nuanced and thoughtful" discussion on the matter before it becomes too late.

"We can't have this conversation after something really bad happens. And, look, I don't want to be a pessimist, but bad things are [going to] happen. And even I -- the director of the FBI -- do not believe that we can have thoughtful conversations about optimizing things we care about in the wake of a serious serious attack of any kind," Comey said. "Not only is our room getting darker, but we're wasting time to try to figure out how thoughtful people would resolve this conflict, because we won't be able to have that conversation later."

The problem, as Comey sees it, is technology companies and privacy advocates have taken the stance in the encryption debate that there is no way to provide both strong encryption and access for law enforcement.

"I reject the 'it's impossible' response. I don't think it's impossible to optimize in a good way those two values. I don't. I just think we haven't actually tried it," Comey said.

"And maybe, as a country, we'll decide the benefits here are so extraordinary and the dangers and the risks and the complications over here to address the public safety concerns are so hard, it's not worth doing. Or, it's just too hard for our adult democracy to grapple with," Comey continued. "Maybe. But I will not let it happen by default, by drift."

Herold said the government "needs to accept that encryption is a technology tool that will always be available, from hundreds or thousands of sources outside of their realm of authority. And so instead of spinning their wheels trying to figure out how to fix a problem that does not exist, they need to spend more time identifying what actions they can take to help them get the insights they want."

"They cannot realistically expect for the IT world to stop cryptography innovation to create better and stronger encryption to make things easier for government spies," Herold said. "A backdoor is a point of exploit for any type of actor. Any entry point of any kind is a potential exploitation point. The more ways you have to decrypt data, the higher the risk that a malicious character will exploit the inevitable ways that exist to then use any of the backdoors, front doors, side doors and trapdoors that are built within the technology. If not early on when the backdoor is established, then almost certainly as technology advances."

The encryption business model

Comey admitted it would require a change in business model, but experts inside the U.S. government and private sector said it is ultimately "a business model decision."

"Take the FBI's business model: We equip our agents with mobile devices that I think are great mobile devices, and we've worked hard to make them secure. We've designed it so we have the ability to access the content, and I don't think we have a fatally flawed mobile system in the FBI," Comey said. "And I think nearly every enterprise that's represented here probably has the same. You retain the ability to access the content."

Comey noted that "the deal in America since its founding has always been: There's no such thing as absolute privacy."

"The deal is, and has been since the founding, all of our papers and effects, all of our things are private ... unless the people of the United States need to see it. And then, with appropriate predication and oversight, they can see it," Comey said. "Even my communications with my clergy member, my spouse, my attorney are not absolutely private in America. In appropriate circumstances -- rare, thankfully -- a judge can order that I talk about any of those communications, or that any of those partners of communication talk about what I said. There's never been absolute privacy in America, except now."

He said he understood that device makers and software developers "really don't have an incentive to deal with, to internalize the public safety harm ... Their job is to worry about innovating and selling more units," but urged that we need to find a way to "optimize those two things" without it being law enforcement or technology companies making the final decision in the encryption debate.

"The default has become the darkness, and so what has happened is the darkness is spreading through the whole room. Now, so far, I haven't offered you a value judgment on that; I'm just telling you what is happening. We need to talk to each other to figure out how we feel about that," Comey said. "Is that a bad thing? Is that a good thing? What are the costs associated with that? What are the benefits on the privacy side of the way we are? But we shouldn't kid ourselves that we're not changing."

Herold said, "The reality is that we do not have an encryption problem. We have a problem with how the government is focusing solely on what they cannot do instead of considering what they can and should do instead. There can always be a workable solution; it would be a horrible, noneffective, more-harmful-than-good solution to require businesses and tech companies to use an inherently flawed framework upon which to build their products."

Kevin Bankston, internet rights advocate and director of the Open Technology Institute at New America, based in Washington, D.C., said on Twitter that this statement "ignores how [a] vast amount of data is still obtainable by the government."

Bankston told SearchSecurity on Twitter that Comey's claim that he didn't want an encryption backdoor was "semantic posturing. What he describes wanting, by analogy to FBI's managed device system, is a quintessential backdoor."

Comey also attempted to debunk the argument that metadata is enough for law enforcement.

"Metadata is wonderful. The digital dust that bad guys leave is very, very valuable to us. It is no substitute for content, especially when the tools that I use require us -- and I like it this way -- to prove guilt to incapacitate beyond a reasonable doubt," Comey said. "You try proving guilt beyond a reasonable doubt off of metadata ... very, very tall order. And maybe we don't care, but we should talk about it."

International cooperation

Comey also suggested whatever the final decision is in the encryption debate, it needs to have an "international component."

"I could imagine a community of nations committed to the rule of law developing a set of norms, a framework for when government access is appropriate -- what judicial standards are at work, what the obligations appropriately are -- because I don't want any part of chasing the innovation from this great country to other places," Comey said. "I think folks get this, but I'll say it anyway: There's a danger that we -- the mother and father of all this innovation -- will be the last to solve it among the community of nations, because the people of France and Germany and the U.K. and Australia are working to solve this problem. And we may end up in a place where patchwork addressing of the challenge I'm talking about leads to something that hurts American enterprise -- a balkanization of data, for example, [or] an inconsistent set of standards. But, look, it's [going to] be very, very hard for technical reasons ... and the nature of that international mix that we have to address."

Herold said an international coalition would likely not include Russia and China, and even "if China and Russia would actually be on board, they'd still be using their own strong encryption to protect their own data."

"It seems unbelievably naïve of him to think, given all these investigations he has participated in that involve nation-state surveillance, that such a framework requiring cooperation and strict adherence to the rules would ever be possible," Herold said. "If most countries are already participating in nation-state hacking and surveillance, they would be absolutely giddy to have a nice framework to use to more easily get to data that would be valuable to them."
